Hackers abusing digital certs smuggle malware past security scanners

No longer just a spy game

Malware writers are widely abusing stolen digital code-signing certificates, according to new research.

Malware that is signed with compromised certificates creates a means for hackers to bypass system protection mechanisms based on code signing. The tactic extends far beyond high profile cyber-spying ops, such as the Stuxnet attack against Iranian nuclear processing facilities or the recent CCleaner-tainted downloads infection.

Security researchers at the University of Maryland found 72 compromised certificates after analysing field data collected by Symantec on 11 million hosts worldwide. "Most of these cases were not previously known, and two thirds of the malware samples signed with these 72 certificates are still valid, the signature check does not produce any errors," Tudor Dumitras, one of the researchers, told El Reg.

"Certificate compromise appears to have been common in the wild before Stuxnet, and not restricted to advanced threats developed by nation-states. We also found 27 certificates issued to malicious actors impersonating legitimate companies that do not develop software and have no need for code-signing certificates, like a Korean delivery service."

Malware creators may not even need to control a code-signing certificate. The Maryland Cybersecurity Centre team found that simply copying an authenticode signature from a legitimate file to a known malware sample — which results in an invalid signature — can cause antivirus products to stop detecting it.

"This flaw affects 34 antivirus products, to varying degrees, and malware samples taking advantage of this are also common in the wild," Dumitras said.

A paper on the topic, Certified Malware: Measuring Breaches of Trust in the Windows Code-Signing PKI (PDF), is due to be presented at the CCS conference in Dallas, TX, on Wednesday. The researchers plan to release a list of the abusive certificates at signedmalware.org.

A separate study by the Cyber Security Research Institute (CSRI), out this week, uncovered code-signing certificates readily available for purchase on the dark web for up to $1,200 (£902).

Code-signing certificates are used to verify the authenticity and integrity of computer applications and software. Cyber criminals can take advantage of compromised code-signing certificates to install malware on enterprise networks and consumer devices.

"We've known for a number of years that cyber criminals actively seek code-signing certificates to distribute malware through computers," said Peter Warren, chairman of the CSRI. "The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates."

Code-signing certificates can be sold many times over, according to Venafi, a security firm that specialises in the protection of machine to machine identity protection. ®